                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.62.0 (30 Oct 2018)

Daniel Stenberg (30 Oct 2018)
- RELEASE-NOTES: 7.62.0

- THANKS: 7.62.0 status

Daniel Gustafsson (30 Oct 2018)
- vtls: add MesaLink to curl_sslbackend enum
  
  MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the
  backend was never added to the curl_sslbackend enum in curl/curl.h.
  This adds the new backend to the enum and updates the relevant docs.
  
  Closes #3195
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Daniel Stenberg (30 Oct 2018)
- [Ruslan Baratov brought this change]

  cmake: Remove unused CURL_CONFIG_HAS_BEEN_RUN_BEFORE variable
  
  Closes #3191

- test2080: verify the fix for CVE-2018-16842

- voutf: fix bad arethmetic when outputting warnings to stderr
  
  CVE-2018-16842
  Reported-by: Brian Carpenter
  Bug: https://curl.haxx.se/docs/CVE-2018-16842.html

- [Tuomo Rinne brought this change]

  cmake: uniform ZLIB to use USE_ variable and clean curl-config.cmake.in
  
  Closes #3123

- [Tuomo Rinne brought this change]

  cmake: add find_dependency call for ZLIB to CMake config file

- [Tuomo Rinne brought this change]

  cmake: add support for transitive ZLIB target

- unit1650: fix "null pointer passed as argument 1 to memcmp"
  
  Detected by UndefinedBehaviorSanitizer
  
  Closes #3187

- travis: add a "make tidy" build that runs clang-tidy
  
  Closes #3182

- unit1300: fix stack-use-after-scope AddressSanitizer warning
  
  Closes #3186

- Curl_auth_create_plain_message: fix too-large-input-check
  
  CVE-2018-16839
  Reported-by: Harry Sintonen
  Bug: https://curl.haxx.se/docs/CVE-2018-16839.html

- Curl_close: clear data->multi_easy on free to avoid use-after-free
  
  Regression from b46cfbc068 (7.59.0)
  CVE-2018-16840
  Reported-by: Brian Carpenter (Geeknik Labs)
  
  Bug: https://curl.haxx.se/docs/CVE-2018-16840.html

- [randomswdev brought this change]

  system.h: use proper setting with Sun C++ as well
  
  system.h selects the proper Sun settings when __SUNPRO_C is defined. The
  Sun compiler does not define it when compiling C++ files.  I'm adding a
  check also on __SUNPRO_CC to allow curl to work properly also when used
  in a C++ project on Sun Solaris.
  
  Closes #3181

- rand: add comment to skip a clang-tidy false positive

- test1651: unit test Curl_extract_certinfo()
  
  The version used for Gskit, NSS, GnuTLS, WolfSSL and schannel.

- x509asn1: always check return code from getASN1Element()

- Makefile: add 'tidy' target that runs clang-tidy
  
  Available in the root, src and lib dirs.
  
  Closes #3163

- RELEASE-PROCEDURE: adjust the release dates
  
  See: https://curl.haxx.se/mail/lib-2018-10/0107.html

Patrick Monnerat (27 Oct 2018)
- x509asn1: suppress left shift on signed value
  
  Use an unsigned variable: as the signed operation behavior is undefined,
  this change silents clang-tidy about it.
  
  Ref: https://github.com/curl/curl/pull/3163
  Reported-By: Daniel Stenberg

Michael Kaufmann (27 Oct 2018)
- multi: Fix error handling in the SENDPROTOCONNECT state
  
  If Curl_protocol_connect() returns an error code,
  handle the error instead of switching to the next state.
  
  Closes #3170

Daniel Stenberg (27 Oct 2018)
- RELEASE-NOTES: synced

- openssl: output the correct cipher list on TLS 1.3 error
  
  When failing to set the 1.3 cipher suite, the wrong string pointer would
  be used in the error message. Most often saying "(nil)".
  
  Reported-by: Ricky-Tigg on github
  Fixes #3178
  Closes #3180

- docs/CIPHERS: fix the TLS 1.3 cipher names
  
  ... picked straight from the OpenSSL man page:
  https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
  
  Reported-by: Ricky-Tigg on github
  Bug: #3178

Marcel Raad (27 Oct 2018)
- travis: install gnutls-bin package
  
  This is required for gnutls-serv, which enables a few more tests.
  
  Closes https://github.com/curl/curl/pull/2958

Daniel Gustafsson (26 Oct 2018)
- ssh: free the session on init failures
  
  Ensure to clear the session object in case the libssh2 initialization
  fails.
  
  It could be argued that the libssh2 error function should be called to
  get a proper error message in this case. But since the only error path
  in libssh2_knownhost_init() is memory a allocation failure it's safest
  to avoid since the libssh2 error handling allocates memory.
  
  Closes #3179
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Daniel Stenberg (26 Oct 2018)
- docs/RELEASE-PROCEDURE: remove old entries, modify the Dec 2018 date
  
  ... I'm moving it up one week due to travels. The rest stays.

- [Daniel Gustafsson brought this change]

  openssl: make 'done' a proper boolean
  
  Closes #3176

- gtls: Values stored to but never read
  
  Detected by clang-tidy
  
  Closes #3176

- [Alexey Eremikhin brought this change]

  curl.1: --ipv6 mutexes ipv4 (fixed typo)
  
  Fixes #3171
  Closes #3172

- tool_main: make TerminalSettings static
  
  Reported-by: Gisle Vanem
  Bug: https://github.com/curl/curl/commit/becfe1233ff2b6b0c3e1b6a10048b55b68c2539f#commitcomment-31008819
  Closes #3161

- curl-config.in: remove dependency on bc
  
  Reported-by: Dima Pasechnik
  Fixes #3143
  Closes #3174

- [Gisle Vanem brought this change]

  rtmp: fix for compiling with lwIP
  
  Compiling on _WIN32 and with USE_LWIPSOCK, causes this error:
    curl_rtmp.c(223,3):  error: use of undeclared identifier 'setsockopt'
      setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO,
      ^
    curl_rtmp.c(41,32):  note: expanded from macro 'setsockopt'
    #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e)
                                   ^
  Closes #3155

- configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
  
  Follow-up to #3166 which did the cmake part of this. This type/define is
  not used.
  
  Closes #3168

- [Ruslan Baratov brought this change]

  cmake: remove unused variables
  
  Remove variables:
  * HAVE_SOCKLEN_T
  * CURL_SIZEOF_CURL_SOCKLEN_T
  * CURL_TYPEOF_CURL_SOCKLEN_T
  
  Closes #3166

Michael Kaufmann (25 Oct 2018)
- urldata: Fix comment in header
  
  The "connecting" function is used by multiple protocols, not only FTP

- netrc: free temporary strings if memory allocation fails
  
  - Change the inout parameters after all needed memory has been
    allocated. Do not change them if something goes wrong.
  - Free the allocated temporary strings if strdup() fails.
  
  Closes #3122

Daniel Stenberg (24 Oct 2018)
- [Ruslan Baratov brought this change]

  config: Remove unused SIZEOF_VOIDP
  
  Closes #3162

- RELEASE-NOTES: synced

GitHub (23 Oct 2018)
- [Gisle Vanem brought this change]

  Fix for compiling with lwIP (3)
  
  lwIP on Windows does not have a WSAIoctl() function.
  But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.

Daniel Stenberg (23 Oct 2018)
- Curl_follow: return better errors on URL problems
  
  ... by making the converter function global and accessible.
  
  Closes #3153

- Curl_follow: remove remaining free(newurl)
  
  Follow-up to 05564e750e8f0c. This function no longer frees the passed-in
  URL.
  
  Reported-by: Michael Kaufmann
  Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm
  ent-30985666

Daniel Gustafsson (23 Oct 2018)
- headers: end all headers with guard comment
  
  Most headerfiles end with a /* <headerguard> */ comment, but it was
  missing from some. The comment isn't the most important part of our
  code documentation but consistency has an intrinsic value in itself.
  This adds header guard comments to the files that were lacking it.
  
  Closes #3158
  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Jay Satiro (23 Oct 2018)
- CIPHERS.md: Mention the options used to set TLS 1.3 ciphers
  
  Closes https://github.com/curl/curl/pull/3159

Daniel Stenberg (20 Oct 2018)
- docs/BUG-BOUNTY: the sponsors actually decide the amount
  
  Retract the previous approach as the sponsors will be the ones to set the
  final amounts.
  
  Closes #3152
  [ci skip]

- multi: avoid double-free
  
  Curl_follow() no longer frees the string. Make sure it happens in the
  caller function, like we normally handle allocations.
  
  This bug was introduced with the use of the URL API internally, it has
  never been in a release version
  
  Reported-by: Dario Weißer
  Closes #3149

- multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
  
  Otherwise, closing that handle can still cause surprises!
  
  Reported-by: Martin Ankerl
  Fixes #3138
  Closes #3147

Marcel Raad (19 Oct 2018)
- VS projects: add USE_IPV6
  
  The Visual Studio builds didn't use IPv6. Add it to all projects since
  Visual Studio 2008, which is verified to build via AppVeyor.
  
  Closes https://github.com/curl/curl/pull/3137

- config_win32: enable LDAPS
  
  As done in the autotools and CMake builds by default.
  
  Closes https://github.com/curl/curl/pull/3137

Daniel Stenberg (18 Oct 2018)
- travis: add build for "configure --disable-verbose"
  
  Closes #3144

Kamil Dudka (17 Oct 2018)
- tool_cb_hdr: handle failure of rename()
  
  Detected by Coverity.
  
  Closes #3140
  Reviewed-by: Jay Satiro

Daniel Stenberg (17 Oct 2018)
- RELEASE-NOTES: synced

- docs/SECURITY-PROCESS: the hackerone IBB program drops curl
  
  ... now there's only BountyGraph.

Jay Satiro (16 Oct 2018)
- [Matthew Whitehead brought this change]

  x509asn1: Fix SAN IP address verification
  
  For IP addresses in the subject alternative name field, the length
  of the IP address (and hence the number of bytes to perform a
  memcmp on) is incorrectly calculated to be zero. The code previously
  subtracted q from name.end. where in a successful case q = name.end
  and therefore addrlen equalled 0. The change modifies the code to
  subtract name.beg from name.end to calculate the length correctly.
  
  The issue only affects libcurl with GSKit SSL, not other SSL backends.
  The issue is not a security issue as IP verification would always fail.
  
  Fixes #3102
  Closes #3141

Daniel Gustafsson (15 Oct 2018)
- INSTALL: mention mesalink in TLS section
  
  Commit 57348eb97d1b8fc3742e02c6587d2d02ff592da5 added support for the
  MesaLink vtls backend, but missed updating the TLS section containing
  supported backends in the docs.
  
  Closes #3134
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Marcel Raad (14 Oct 2018)
- nonblock: fix unused parameter warning
  
  If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not
  used.

Michael Kaufmann (13 Oct 2018)
- Curl_follow: Always free the passed new URL
  
  Closes #3124

Viktor Szakats (12 Oct 2018)
- replace rawgit links [ci skip]
  
  Ref: https://rawgit.com/ "RawGit has reached the end of its useful life"
  Ref: https://news.ycombinator.com/item?id=18202481
  Closes https://github.com/curl/curl/pull/3131

Daniel Stenberg (12 Oct 2018)
- docs/BUG-BOUNTY.md: for vulns published since Aug 1st 2018
  
  [ci skip]

- travis: make distcheck scan for BOM markers
  
  and remove BOM from projects/wolfssl_override.props
  
  Closes #3126

Marcel Raad (11 Oct 2018)
- CMake: remove BOM
  
  Accidentally aded in commit 1bb86057ff07083deeb0b00f8ad35879ec4d03ea.
  
  Reported-by: Viktor Szakats
  Ref: https://github.com/curl/curl/pull/3120#issuecomment-428673136

Daniel Gustafsson (10 Oct 2018)
- transfer: fix typo in comment

Michael Kaufmann (10 Oct 2018)
- docs: add "see also" links for SSL options
  
  - link TLS 1.2 and TLS 1.3 options
  - link proxy and non-proxy options
  
  Closes #3121

Marcel Raad (10 Oct 2018)
- AppVeyor: remove BDIR variable that sneaked in again
  
  Removed in ae762e1abebe3a5fe75658583c85059a0957ef6e, accidentally added
  again in 9f3be5672dc4dda30ab43e0152e13d714a84d762.

- CMake: disable -Wpedantic-ms-format
  
  As done in the autotools build. This is required for MinGW, which
  supports only %I64 for printing 64-bit values, but warns about it.
  
  Closes https://github.com/curl/curl/pull/3120

Viktor Szakats (9 Oct 2018)
- ldap: show precise LDAP call in error message on Windows
  
  Also add a unique but common text ('bind via') to make it
  easy to grep this specific failure regardless of platform.
  
  Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468
  Closes https://github.com/curl/curl/pull/3118
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>

Daniel Stenberg (9 Oct 2018)
- docs/DEPRECATE: minor reformat to render nicer on web

Daniel Gustafsson (9 Oct 2018)
- CURLOPT_SSL_VERIFYSTATUS: Fix typo
  
  Changes s/OSCP/OCSP/ and bumps the copyright year due to the change.

Marcel Raad (9 Oct 2018)
- curl_setup: define NOGDI on Windows
  
  This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h>
  on MinGW.
  
  Closes https://github.com/curl/curl/pull/3113

- Windows: fixes for MinGW targeting Windows Vista
  
  Classic MinGW has neither InitializeCriticalSectionEx nor
  GetTickCount64, independent of the target Windows version.
  
  Closes https://github.com/curl/curl/pull/3113

Daniel Stenberg (8 Oct 2018)
- TODO: fixed 'API for URL parsing/splitting'

Daniel Gustafsson (8 Oct 2018)
- KNOWN_BUGS: Fix various typos
  
  Closes #3112
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Viktor Szakats (8 Oct 2018)
- spelling fixes [ci skip]
  
  as detected by codespell 1.14.0
  
  Closes https://github.com/curl/curl/pull/3114
  Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>

Daniel Stenberg (8 Oct 2018)
- RELEASE-NOTES: synced

- curl_ntlm_wb: check aprintf() return codes
  
  ... when they return NULL we're out of memory and MUST return failure.
  
  closes #3111

- docs/BUG-BOUNTY: proposed additional docs
  
  Bug bounty explainer. See https://bountygraph.com/programs/curl
  
  Closes #3067

- [Rick Deist brought this change]

  hostip: fix check on Curl_shuffle_addr return value
  
  Closes #3110

- FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
  
  Now FILE transfers send headers to the header callback like HTTP and
  other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...)
  work for FILE in the callbacks.
  
  Makes "curl -i file://.." and "curl -I file://.." work like before
  again. Applied the bold header logic to them too.
  
  Regression from c1c2762 (7.61.0)
  
  Reported-by: Shaun Jackman
  Fixes #3083
  Closes #3101

Daniel Gustafsson (7 Oct 2018)
- gskit: make sure to terminate version string
  
  In case a very small buffer was passed to the version function, it could
  result in the buffer not being NULL-terminated since strncpy() doesn't
  guarantee a terminator on an overflowed buffer. Rather than adding code
  to terminate (and handle zero-sized buffers), move to using snprintf()
  instead like all the other vtls backends.
  
  Closes #3105
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  Reviewed-by: Viktor Szakats <commit@vszakats.net>

- TODO: add LD_PRELOAD support on macOS
  
  Add DYLD_INSERT_LIBRARIES support to the TODO list. Reported in #2394.

- runtests: skip ld_preload tests on macOS
  
  The LD_PRELOAD functionality doesn't exist on macOS, so skip any tests
  requiring it.
  
  Fixes #2394
  Closes #3106
  Reported-by: Github user @jakirkham
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Marcel Raad (7 Oct 2018)
- AppVeyor: use Debug builds to run tests
  
  This enables more tests.
  
  Closes https://github.com/curl/curl/pull/3104

- AppVeyor: add HTTP_ONLY build
  
  Closes https://github.com/curl/curl/pull/3104

- AppVeyor: add WinSSL builds
  
  Use the oldest and latest Windows SDKs for them.
  Also, remove all but one OpenSSL build.
  
  Closes https://github.com/curl/curl/pull/3104

- AppVeyor: add remaining Visual Studio versions
  
  This adds Visual Studio 9 and 10 builds.
  There's no 64-bit VC9 compiler on AppVeyor, so use it as the Win32
  build. Also, VC9 cannot be used for running the test suite.
  
  Closes https://github.com/curl/curl/pull/3104

- AppVeyor: break long line
  
  Closes https://github.com/curl/curl/pull/3104

- AppVeyor: remove unused BDIR variable
  
  Closes https://github.com/curl/curl/pull/3104

Daniel Stenberg (6 Oct 2018)
- test2100: test DoH using IPv4-only
  
  To make it only send one DoH request and avoid the race condition that
  could lead to the requests getting sent in reversed order and thus
  making it hard to compare in the test case.
  
  Fixes #3107
  Closes #3108

- tests/FILEFORMAT: mention how to use <fileN> and <stripfileN> too
  
  [ci skip]

- RELEASE-NOTES: synced

- [Dmitry Kostjuchenko brought this change]

  timeval: fix use of weak symbol clock_gettime() on Apple platforms
  
  Closes #3048

- doh: keep the IPv4 address in (original) network byte order
  
  Ideally this will fix the reversed order shown in SPARC tests:
  
    resp 8: Expected 127.0.0.1 got 1.0.0.127
  
  Closes #3091

Jay Satiro (5 Oct 2018)
- INTERNALS.md: wrap lines longer than 79

Daniel Gustafsson (5 Oct 2018)
- INTERNALS: escape reference to parameter
  
  The parameter reference <string> was causing rendering issues in the
  generated HTML page, as <string> isn't a valid HTML tag. Fix by back-
  tick escaping it.
  
  Closes #3099
  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- checksrc: handle zero scoped ignore commands
  
  If a !checksrc! disable command specified to ignore zero errors, it was
  still added to the ignore block even though nothing was ignored. While
  there were no blocks ignored that shouldn't be ignored, the processing
  ended with with a warning:
  
  <filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE)
   /* !checksrc! disable LONGLINE 0 */
                      ^
  Fix by instead treating a zero ignore as a a badcommand and throw a
  warning for that one.
  
  Closes #3096
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- checksrc: enable strict mode and warnings
  
  Enable strict and warnings mode for checksrc to ensure we aren't missing
  anything due to bugs in the checking code. This uncovered a few things
  which are all fixed in this commit:
  
  * several variables were used uninitialized
  * several variables were not defined in the correct scope
  * the whitelist filehandle was read even if the file didn't exist
  * the enable_warn() call when a disable counter had expired was passing
    incorrect variables, but since the checkwarn() call is unlikely to hit
    (the counter is only decremented to zero on actual ignores) it didn't
    manifest a problem.
  
  Closes #3090
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>

Marcel Raad (5 Oct 2018)
- CMake: suppress MSVC warning C4127 for libtest
  
  It's issued by older Windows SDKs (prior to version 8.0).

Sergei Nikulov (5 Oct 2018)
- Merge branch 'dmitrykos-fix_missing_CMake_defines'

- [Dmitry Kostjuchenko brought this change]

  cmake: test and set missed defines during configuration
  
  Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC.
  
  Closes #3097

Marcel Raad (5 Oct 2018)
- AppVeyor: disable test 500
  
  It almost always results in
  "starttransfer vs total: 0.000001 0.000000".
  I cannot reproduce this locally, so disable it for now.
  
  Closes https://github.com/curl/curl/pull/3100

- AppVeyor: set custom install prefix
  
  CMake's default has spaces and in 32-bit mode parentheses, which result
  in syntax errors in curl-config.
  
  Closes https://github.com/curl/curl/pull/3100

- AppVeyor: Remove non-SSL non-test builds
  
  They don't add much value.
  
  Closes https://github.com/curl/curl/pull/3100

- AppVeyor: run test suite
  
  Use the preinstalled MSYS2 bash for that.
  Disable test 1139 as the CMake build doesn't generate curl.1.
  
  Ref: https://github.com/curl/curl/issues/3070#issuecomment-425922224
  Closes https://github.com/curl/curl/pull/3100

- AppVeyor: use in-tree build
  
  Required to run the tests.
  
  Closes https://github.com/curl/curl/pull/3100

Daniel Stenberg (4 Oct 2018)
- doh: make sure TTL isn't re-inited by second (discarded?) response
  
  Closes #3092

- test320: strip out more HTML when comparing
  
  To make the test case work with different gnutls-serv versions better.
  
  Reported-by: Kamil Dudka
  Fixes #3093
  Closes #3094

Marcel Raad (4 Oct 2018)
- runtests: use Windows paths for Windows curl
  
  curl generated by CMake's Visual Studio generator has "Windows" in the
  version number.

Daniel Stenberg (4 Oct 2018)
- [Colin Hogben brought this change]

  tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
  
  Fix problems caused by differences in treatment of bytes objects between
  python2 and python3.
  
  Fixes #2929
  Closes #3080

Daniel Gustafsson (3 Oct 2018)
- memory: ensure to check allocation results
  
  The result of a memory allocation should always be checked, as we may
  run under memory pressure where even a small allocation can fail. This
  adds checking and error handling to a few cases where the allocation
  wasn't checked for success. In the ftp case, the freeing of the path
  variable is moved ahead of the allocation since there is little point
  in keeping it around across the strdup, and the separation makes for
  more readable code. In nwlib, the lock is aslo freed in the error path.
  
  Also bumps the copyright years on affected files.
  
  Closes #3084
  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- comment: Fix multiple typos in function parameters
  
  Ensure that the parameters in the comment match the actual names in the
  prototype.
  
  Closes #3079
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- CURLOPT_SSLVERSION.3: fix typos and consistent spelling
  
  Use TLS vX.Y throughout the document, instead of TLS X.Y, as that was
  already done in all but a few cases. Also fix a few typos.
  
  Closes #3076
  Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

- SECURITY-PROCESS: make links into hyperlinks
  
  Use proper Markdown hyperlink format for the Bountygraph links in order
  for the generated website page to be more user friendly. Also link to
  the sponsors to give them a little extra credit.
  
  Closes #3082
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Jay Satiro (3 Oct 2018)
- CURLOPT_HEADER.3: fix typo

- nss: fix nssckbi module loading on Windows
  
  - Use .DLL extension instead of .so to load modules on Windows.
  
  Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
  Reported-by: Maxime Legros
  
  Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442
  
  Closes https://github.com/curl/curl/pull/3086

- data-binary.d: clarify default content-type is x-www-form-urlencoded
  
  - Advise user that --data-binary sends a default content type of
    x-www-form-urlencoded, and to have the data treated as arbitrary
    binary data by the server set the content-type header to octet-stream.
  
  Ref: https://github.com/curl/curl/pull/2852#issuecomment-426465094
  
  Closes https://github.com/curl/curl/pull/3085

Marcel Raad (2 Oct 2018)
- test1299: use single quotes around asterisk
  
  Ref: https://github.com/curl/curl/issues/1751#issuecomment-321522580

Daniel Stenberg (2 Oct 2018)
- docs/CIPHERS: mention the colon separation for OpenSSL
  
  Bug: #3077

- runtests: ignore disabled even when ranges are given
  
  runtests.pl support running a range of tests, like "44 to 127". Starting
  now, the code makes sure that even such given ranges will ignore tests
  that are marked as disabled.
  
  Disabled tests can still be run by explictly specifying that test
  number.
  
  Closes #3075

- urlapi: starting with a drive letter on win32 is not an abs url
  
  ... and libcurl doesn't support any single-letter URL schemes (if there
  even exist any) so it should be fairly risk-free.
  
  Reported-by: Marcel Raad
  
  Fixes #3070
  Closes #3071

Marcel Raad (2 Oct 2018)
- doh: fix curl_easy_setopt argument type
  
  CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit
  MinGW.

Daniel Stenberg (2 Oct 2018)
- RELEASE-NOTES: synced

Jay Satiro (1 Oct 2018)
- [Ruslan Baratov brought this change]

  CMake: Improve config installation
  
  Use 'GNUInstallDirs' standard module to set destinations of installed
  files.
  
  Use uppercase "CURL" names instead of lowercase "curl" to match standard
  'FindCURL.cmake' CMake module:
  * https://cmake.org/cmake/help/latest/module/FindCURL.html
  
  Meaning:
  * Install 'CURLConfig.cmake' instead of 'curl-config.cmake'
  * User should call 'find_package(CURL)' instead of 'find_package(curl)'
  
  Use 'configure_package_config_file' function to generate
  'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template
  file smaller and handle components better.  E.g.  current configuration
  report no error if user specified unknown components (note: new
  configuration expects no components, report error if user will try to
  specify any).
  
  Closes https://github.com/curl/curl/pull/2849

Daniel Stenberg (1 Oct 2018)
- test1650: make it depend on http/2
  
  Follow-up to 570008c99da0ccbb as it gets link errors.
  
  Reported-by: Michael Kaufmann
  Closes #3068

- [Nate Prewitt brought this change]

  MANUAL: minor grammar fix
  
  Noticed a typo reading through the docs.
  
  Closes #3069

- doh: only build if h2 enabled
  
  The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version
  of HTTP for use with DoH".
  
  Reported-by: Marcel Raad
  Closes #3066

- test2100: require http2 to run
  
  Reported-by: Marcel Raad
  Fixes #3064
  Closes #3065

- multi: fix memory leak in content encoding related error path
  
  ... a missing multi_done() call.
  
  Credit to OSS-Fuzz
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728
  Closes #3063

- travis: bump the Secure Transport build to use xcode 10
  
  Due to an issue with travis
  (https://github.com/travis-ci/travis-ci/issues/9956) we've been using
  Xcode 9.2 for darwinssl builds for a while. Now xcode 10 is offered as
  an alternative and as it builds curl+darwinssl fine that seems like a
  better choice.
  
  Closes #3062

- [Rich Turner brought this change]

  curl: enabled Windows VT Support and UTF-8 output
  
  Enabled Console VT support (if running OS supports VT) in tool_main.c.
  
  Fixes #3008
  Closes #3011

- multi: fix location URL memleak in error path
  
  Follow-up to #3044 - fix a leak OSS-Fuzz detected
  Closes #3057

Sergei Nikulov (28 Sep 2018)
- cmake: fixed path used in generation of docs/tests during curl build through add_subdicectory(...)

- [Brad King brought this change]

  cmake: Backport to work with CMake 3.0 again
  
  Changes in commit 7867aaa9a0 (cmake: link curl to the OpenSSL targets
  instead of lib absolute paths, 2018-07-17) and commit f826b4ce98 (cmake:
  bumped minimum version to 3.4, 2018-07-19) required CMake 3.4 to fix
  issue #2746.  This broke support for users on older versions of CMake
  even if they just want to build curl and do not care whether transitive
  dependencies work.
  
  Backport the logic to work with CMake 3.0 again by implementing the
  fix only when the version of CMake is at least 3.4.

Marcel Raad (27 Sep 2018)
- curl_threads: fix classic MinGW compile break
  
  Classic MinGW still has _beginthreadex's return type as unsigned long
  instead of uintptr_t [0]. uintptr_t is not even defined because of [1].
  
  [0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167
  [1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90
  
  Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807
  Closes https://github.com/curl/curl/pull/3051

Daniel Stenberg (26 Sep 2018)
- configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
  
  fix a few leftovers
  
  Fixes #3006
  Closes #3049

- [Doron Behar brought this change]

  example/htmltidy: fix include paths of tidy libraries
  
  Closes #3050

- RELEASE-NOTES: synced

- Curl_http2_done: fix memleak in error path
  
  Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for
